WS-Security is a proposal for adding message-layer security to SOAP messages, defining standardized locations and syntax by which security tokens (such as X.509 certificates and Kerberos tickets) can be carried within SOAP Headers in order to secure the contents of the SOAP messages.
WS-Security leverages the existing XML Digital Signature and XML Encryption specifications for capturing the results of, respectively, signing and encryption operations in XML syntax. In essence, WS-Security will standardize where the XML Signature and XML Encryption data blocks are carried within a SOAP message.
Why is it needed?
Security mechanisms like TLS (Transport Layer Security) are insufficient for securing Web Services. Since TLS creates a secure channel through which messages flow, it is incapable of differentiated protection, e.g. encrypting and/or signing only particular components of those messages. This is relevant when non-sensitive portions of the message need to be accessed or changed by intermediate actors. Additionally, in a scenario where a SOAP message might flow through multiple actors, TLS is incapable of providing end-to-end protection; TLS only allows each ‘hop’ to be protected-with the resultant security gaps at intermediate actors.
A new OASIS Technical Committee was formed in August 2002 to oversee the standardization of the WS-Security proposal.
Entrust is an active member of the newly formed OASIS Technical Committee working on WS-Security. Entrust already has support for XML Signature and XML Encryption in the Entrust Authority™ Security Toolkit for Java and these are the fundamental building blocks for WS-Security. As the specification progresses, Entrust will build on this existing support to directly support the WS-Security specification itself.